MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Technical Helps => Topic started by: fossxplorer on 2014-09-07, 20:48:25

Title: Auto block brute force IPs
Post by: fossxplorer on 2014-09-07, 20:48:25
These days my Kloxo-MR is subject to a spam source and I see brute force attacks:
Sep  7 20:42:16 mail pop3: 1410115336.674823 tcpserver: ok 30641 :111.111.111.186:110 :125.79.18.13::42216
Sep  7 20:42:16 mail pop3: 1410115336.703615 tcpserver: status: 2/200
Sep  7 20:42:16 mail pop3: 1410115336.703777 tcpserver: pid 30642 from 125.79.18.13
Sep  7 20:42:16 mail pop3: 1410115336.715509 tcpserver: ok 30642 :111.111.111.187:110 :125.79.18.13::42221
Sep  7 20:42:17 mail vpopmail[30643]: vchkpw-pop3: vpopmail user not found terence@:125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.240255 tcpserver: end 30641 status 256
Sep  7 20:42:17 mail pop3: 1410115337.240281 tcpserver: status: 1/200
Sep  7 20:42:17 mail vpopmail[30645]: vchkpw-pop3: vpopmail user not found roger@:125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.294012 tcpserver: end 30642 status 256
Sep  7 20:42:17 mail pop3: 1410115337.294036 tcpserver: status: 0/200
Sep  7 20:42:17 mail pop3: 1410115337.795501 tcpserver: status: 1/200
Sep  7 20:42:17 mail pop3: 1410115337.795665 tcpserver: pid 30647 from 125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.807689 tcpserver: ok 30647 :111.111.111.186:110 :125.79.18.13::42237
Sep  7 20:42:17 mail pop3: 1410115337.863795 tcpserver: status: 2/200
Sep  7 20:42:17 mail pop3: 1410115337.863894 tcpserver: pid 30648 from 125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.875716 tcpserver: ok 30648 :111.111.111.187:110 :125.79.18.13::42239
Sep  7 20:42:18 mail vpopmail[30649]: vchkpw-pop3: vpopmail user not found terra@:125.79.18.13
Sep  7 20:42:18 mail pop3: 1410115338.373194 tcpserver: end 30647 status 256
Sep  7 20:42:18 mail pop3: 1410115338.373213 tcpserver: status: 1/200
Sep  7 20:42:18 mail vpopmail[30651]: vchkpw-pop3: vpopmail user not found rolph@:125.79.18.13
Sep  7 20:42:18 mail pop3: 1410115338.454994 tcpserver: end 30648 status 256
Sep  7 20:42:18 mail pop3: 1410115338.455023 tcpserver: status: 0/200
Sep  7 20:42:18 mail pop3: 1410115338.929154 tcpserver: status: 1/200
Sep  7 20:42:18 mail pop3: 1410115338.929252 tcpserver: pid 30653 from 125.79.18.13
Sep  7 20:42:18 mail pop3: 1410115338.941129 tcpserver: ok 30653 :111.111.111.186:110 :125.79.18.13::42252
Sep  7 20:42:19 mail pop3: 1410115339.024847 tcpserver: status: 2/200
Sep  7 20:42:19 mail pop3: 1410115339.025068 tcpserver: pid 30654 from 125.79.18.13
Sep  7 20:42:19 mail pop3: 1410115339.036617 tcpserver: ok 30654 :111.111.111.187:110 :125.79.18.13::42255
Sep  7 20:42:19 mail vpopmail[30655]: vchkpw-pop3: vpopmail user not found terry@:125.79.18.13
Sep  7 20:42:19 mail pop3: 1410115339.507209 tcpserver: end 30653 status 256
Sep  7 20:42:19 mail pop3: 1410115339.507228 tcpserver: status: 1/200
Sep  7 20:42:19 mail vpopmail[30657]: vchkpw-pop3: vpopmail user not found ron@:125.79.18.13
Sep  7 20:42:19 mail pop3: 1410115339.615602 tcpserver: end 30654 status 256
Sep  7 20:42:19 mail pop3: 1410115339.615623 tcpserver: status: 0/200
Sep  7 20:42:20 mail pop3: 1410115340.063113 tcpserver: status: 1/200
Sep  7 20:42:20 mail pop3: 1410115340.063220 tcpserver: pid 30659 from 125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.074952 tcpserver: ok 30659 :111.111.111.186:110 :125.79.18.13::42271
Sep  7 20:42:20 mail pop3: 1410115340.185521 tcpserver: status: 2/200
Sep  7 20:42:20 mail pop3: 1410115340.185681 tcpserver: pid 30660 from 125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.197146 tcpserver: ok 30660 :111.111.111.187:110 :125.79.18.13::42273
Sep  7 20:42:20 mail vpopmail[30661]: vchkpw-pop3: vpopmail user not found tess@:125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.640672 tcpserver: end 30659 status 256
Sep  7 20:42:20 mail pop3: 1410115340.640707 tcpserver: status: 1/200
Sep  7 20:42:20 mail vpopmail[30663]: vchkpw-pop3: vpopmail user not found rona@:125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.776253 tcpserver: end 30660 status 256
Sep  7 20:42:20 mail pop3: 1410115340.776293 tcpserver: status: 0/200
Sep  7 20:42:21 mail pop3: 1410115341.196262 tcpserver: status: 1/200
Sep  7 20:42:21 mail pop3: 1410115341.196339 tcpserver: pid 30665 from 125.79.18.13
Sep  7 20:42:21 mail pop3: 1410115341.208570 tcpserver: ok 30665 :111.111.111.186:110 :125.79.18.13::42290
Sep  7 20:42:21 mail pop3: 1410115341.346176 tcpserver: status: 2/200
Sep  7 20:42:21 mail pop3: 1410115341.346295 tcpserver: pid 30666 from 125.79.18.13
Sep  7 20:42:21 mail pop3: 1410115341.358027 tcpserver: ok 30666 :111.111.111.187:110 :125.79.18.13::42292
Sep  7 20:42:21 mail pop3: 1410115341.765119 tcpserver: end 30665 status 256
Sep  7 20:42:21 mail pop3: 1410115341.765155 tcpserver: status: 1/200
Sep  7 20:42:21 mail vpopmail[30667]: vchkpw-pop3: vpopmail user not found ronald@:125.79.18.13
Sep  7 20:42:21 mail pop3: 1410115341.936432 tcpserver: end 30666 status 256
Sep  7 20:42:21 mail pop3: 1410115341.936452 tcpserver: status: 0/200
Sep  7 20:42:22 mail pop3: 1410115342.506626 tcpserver: status: 1/200
Sep  7 20:42:22 mail pop3: 1410115342.506751 tcpserver: pid 30669 from 125.79.18.13
Sep  7 20:42:22 mail pop3: 1410115342.518482 tcpserver: ok 30669 :111.111.111.187:110 :125.79.18.13::42305
Sep  7 20:42:23 mail vpopmail[30670]: vchkpw-pop3: vpopmail user not found ronda@:125.79.18.13
Sep  7 20:42:23 mail pop3: 1410115343.097308 tcpserver: end 30669 status 256
Sep  7 20:42:23 mail pop3: 1410115343.097328 tcpserver: status: 0/200
Sep  7 20:42:23 mail pop3: 1410115343.668684 tcpserver: status: 1/200
Sep  7 20:42:23 mail pop3: 1410115343.668852 tcpserver: pid 30672 from 125.79.18.13
Sep  7 20:42:23 mail pop3: 1410115343.680233 tcpserver: ok 30672 :111.111.111.187:110 :125.79.18.13::42326
Sep  7 20:42:24 mail vpopmail[30673]: vchkpw-pop3: vpopmail user not found ronny@:125.79.18.13
Sep  7 20:42:24 mail pop3: 1410115344.262892 tcpserver: end 30672 status 256
Sep  7 20:42:24 mail pop3: 1410115344.262908 tcpserver: status: 0/200
Sep  7 20:42:24 mail pop3: 1410115344.835405 tcpserver: status: 1/200

Now I wonder: is there a way to auto-block IPs from the "mail vpopmail[30673]: vchkpw-pop3: vpopmail user not found ronny@:125.79.18.13" lines after, say, 5 attempts?
I've installed CSF; is there an option to read mail logs from qmail? Or do I have to use fail2ban?

@chrisf, have you any setups that auto block IPs that fails many auth attempts?

Thanks!

Title: Re: Auto block brute force IPs
Post by: chrisf on 2014-09-08, 17:20:12
Yes, we have a custom module for CSF that blocks brute force on mailserver, we are a hosting company ;)
Title: Re: Auto block brute force IPs
Post by: fossxplorer on 2014-09-08, 22:56:54
I.e. you have created a module with "custom logs" which scans your logs and blocks failed attempts?

> Yes, we have a custom module for CSF that blocks brute force on mailserver, we are a hosting company ;)
Title: Re: Auto block brute force IPs
Post by: johnnyto1979 on 2014-09-09, 14:49:31
Hi.
Fail2ban... easy way.
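As an added example for the question above and the fail2ban suggestion (this is not code from the thread, Kloxo-MR, CSF or fail2ban), here is the counting logic both approaches boil down to, run over the vpopmail log format shown in the first post: failures per *source* IP inside a sliding window, ban when the threshold (5) is reached, with a whitelist so you cannot lock yourself out. The `password fail` pattern, the filter/jail file names, `/var/log/maillog` and the jail numbers are assumptions to be checked against the local install; the sample log is constructed from the attacker's lines in the post plus a few extra lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failure lines shown in the first post, e.g.
#   Sep  7 20:42:17 mail vpopmail[30645]: vchkpw-pop3: vpopmail user not found roger@:125.79.18.13
# The "password fail" alternative is an ASSUMPTION about vpopmail's other auth-failure
# message (existing user, wrong password); confirm it against your own maillog before
# relying on it.  The <ip> group is what a fail2ban filter calls <HOST>.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: "
    r"vchkpw-(?P<svc>\w+): (?P<why>vpopmail user not found|password fail)"
    r".*?@[^:\s]*:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Never ban these (assumed list: add your own office/monitoring IPs here; forgetting
# this is the classic way to lock yourself out of a fail2ban/CSF box).
IGNORE_IPS = frozenset({"127.0.0.1"})

# The same rule expressed as a fail2ban filter + jail.  File names, log path and
# numbers are assumptions; maxretry/findtime mirror threshold/window below.
FAIL2BAN_FILTER = r"""
# /etc/fail2ban/filter.d/vpopmail.conf
[Definition]
failregex = vchkpw-\S+: vpopmail user not found \S*@:<HOST>\s*$
            vchkpw-\S+: password fail .*@[^:\s]*:<HOST>\s*$
ignoreregex =
"""
FAIL2BAN_JAIL = """
# append to /etc/fail2ban/jail.local
[vpopmail]
enabled  = true
filter   = vpopmail
logpath  = /var/log/maillog
maxretry = 5
findtime = 600
bantime  = 3600
"""


def parse_failure(line):
    """Return (timestamp, ip, service, reason) for an auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; strptime defaults to 1900, which is fine for deltas
    # within one log (a New Year rollover inside the window is not handled here).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("svc"), m.group("why")


def find_brute_forcers(lines, threshold=5, window=timedelta(seconds=600), ignore=IGNORE_IPS):
    """Return {ip: (failures_in_window, timestamp_of_triggering_failure)} for every source
    IP that reaches `threshold` failures inside any `window`-long span
    (the same semantics as fail2ban's maxretry/findtime)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _svc, _why = parsed
        if ip in ignore:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in banned:
            banned[ip] = (len(q), ts)
    return banned


def csf_deny_commands(banned):
    """Render one `csf -d IP comment` per banned IP (CSF's permanent-deny command)."""
    return [f"csf -d {ip} vpopmail brute force ({n} failures)"
            for ip, (n, _ts) in sorted(banned.items())]


# Constructed sample: six attacker lines from the post, one unrelated tcpserver line,
# a second IP with only two failures, and a loopback hit that the whitelist must skip.
SAMPLE_LOG = """\
Sep  7 20:42:17 mail pop3: 1410115337.240255 tcpserver: end 30641 status 256
Sep  7 20:42:17 mail vpopmail[30643]: vchkpw-pop3: vpopmail user not found terence@:125.79.18.13
Sep  7 20:42:17 mail vpopmail[30645]: vchkpw-pop3: vpopmail user not found roger@:125.79.18.13
Sep  7 20:42:18 mail vpopmail[30649]: vchkpw-pop3: vpopmail user not found terra@:125.79.18.13
Sep  7 20:42:18 mail vpopmail[30651]: vchkpw-pop3: vpopmail user not found rolph@:125.79.18.13
Sep  7 20:42:19 mail vpopmail[30655]: vchkpw-pop3: vpopmail user not found terry@:125.79.18.13
Sep  7 20:42:19 mail vpopmail[30657]: vchkpw-pop3: vpopmail user not found ron@:125.79.18.13
Sep  7 20:43:01 mail vpopmail[30701]: vchkpw-pop3: vpopmail user not found bob@:198.51.100.7
Sep  7 20:43:02 mail vpopmail[30702]: vchkpw-smtp: password fail (pass: 'x') alice@example.net:198.51.100.7
Sep  7 20:43:05 mail vpopmail[30703]: vchkpw-pop3: vpopmail user not found carol@:127.0.0.1
""".splitlines()

if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, (n, ts) in hits.items():
        print(f"{ip}: {n} failures by {ts:%b %d %H:%M:%S}")
    for cmd in csf_deny_commands(hits):
        print(cmd)
```

Two things worth noting from the post's own log: the attacker alternates between both of the server's listening IPs (111.111.111.186 and .187), so counting per destination would halve the hit rate; counting per source IP as above catches it. And the "user not found" lines are only part of the picture; once a guessed name exists, the failures move to the wrong-password message, which is why the filter has two patterns. With fail2ban, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf` is the quick way to check the filter actually matches before enabling the jail.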
Title: Re: Auto block brute force IPs
Post by: MRatWork on 2014-09-09, 14:56:22
Read http://comments.gmane.org/gmane.mail.vpopmail/21913